PIX VPN mesh with access to multiple subnets at one of the sites?

Deliverance
Level 1

I wonder whether any of the experts in this group can help me.

I have three sites (a 'central' one, and two remotes), each with a single subnet, and that are interconnected with a PIX-PIX IPsec VPN mesh. The whole thing has worked flawlessly since originally set up a few months ago, in that it provides intervisibility between IP hosts at each of the three sites.

I now have to move some of the servers at the central site to their own subnet on their own VLAN (named 'Databases' at 192.168.3.0/24). I need to be able to provide connectivity to hosts on the Databases subnet/VLAN from the two remote sites. However, I just have not been able to make this work.

With the central and remote configurations that are attached, if I do 'debug packet Databases' and then ping a host on the Databases VLAN at Central from the remote site, I can see the echo packet being sent to the host on the Databases subnet/VLAN, and I can see the echo reply being sent back from that host to the central PIX.

I can also see the hitcount increment on the

access-list Databases_acl permit icmp any any echo-reply

rule (that is generated from the object group named 'ICMP-allowed') on the central PIX.

However, I do not see the encapsulated packets count increment on the PIX at the central site end of the IPsec SA with the remote site that originated the ping. And, needless to say, the host from which I sent the ping does not see any response.

Can anybody point me at what I've got wrong in the attached configs. Note that other required access to the Databases subnet/VLAN from the 10.0.0.0/24 subnet at the central site, and from two other subnets, 10.0.1.0/24 and 10.0.2.0/24, (that are each connected via a router) all works fine. The problem is only with the VPN-connected sites that have the 10.0.3.0/24 and 10.0.4.0/24 subnets on their inside interfaces. I realise that, in what follows, some of the ACLs show signs of my increasing desperation to get the required setup working:

Thanks.

Tim Levy

2 Replies

grant.maynard
Level 4

If "access-list DMZ1" shows hits but the crypto ACL ("outside_cryptomap_21_acl") does not, this suggests a NAT issue, even though the config looks fine to me, though it is difficult to read.

"show local [Database_server_IP]" will show how it's being NATed.

Could you upload output of "show cry ips sa" from central and remote PIXs?
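As an added illustration of the NAT point made in the reply above (this is not from the original thread or from the attached configs): on a PIX, traffic that enters on one interface and should go out through the IPsec tunnel has to be exempted from translation on that same interface, otherwise it leaves with a translated source address and never matches the crypto ACL. The subnets below are the ones named in the question; the interface name 'Databases' and the ACL name 'outside_cryptomap_21_acl' come from the thread, while 'Databases_nonat', 'inside_nonat' and 'outside_cryptomap_20_acl' are hypothetical names chosen for the example.

```cisco
! Central PIX (example, not the poster's config). Hypothetical ACL names.
! If the only NAT exemption is on 'inside', 192.168.3.x -> 10.0.3.x/10.0.4.x is
! translated by the ordinary nat/global pair on 'Databases' and never matches
! the crypto ACL, which is what the symptoms described above would look like.
access-list Databases_nonat permit ip 192.168.3.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list Databases_nonat permit ip 192.168.3.0 255.255.255.0 10.0.4.0 255.255.255.0
nat (Databases) 0 access-list Databases_nonat

! The crypto ACL towards each remote peer must also list the new subnet.
access-list outside_cryptomap_21_acl permit ip 192.168.3.0 255.255.255.0 10.0.3.0 255.255.255.0

! Remote PIX for the 10.0.3.0/24 site: mirror image of the central entries.
! 'outside_cryptomap_20_acl' is a hypothetical name for that peer's crypto ACL.
access-list inside_nonat permit ip 10.0.3.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list inside_nonat
access-list outside_cryptomap_20_acl permit ip 10.0.3.0 255.255.255.0 192.168.3.0 255.255.255.0

! Verification: the reply should no longer appear as a translated xlate on the
! central PIX, the crypto ACL hit count should increment, and the SA's
! encapsulated counter should move.
show xlate
show access-list outside_cryptomap_21_acl
show crypto ipsec sa
```

Two caveats a practitioner would want: existing translations and security associations built before the change are not re-evaluated, so `clear xlate` (which drops current translations on that PIX) and `clear crypto ipsec sa` are normally needed before re-testing; and the crypto ACLs on the two peers must be exact mirror images, or the remote side will reject the proxy identities when the SA is negotiated.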

Hi Grant, thanks for your reply.

> If "access-list DMZ1" shows hits but crypto ACL ("outside_cryptomap_21_acl")
> does not - this suggests NAT issue, even though config looks fine to me,
> though difficult to read.

It's the 'Databases' VLAN and access-list that is at issue. There is no problem with the DMZ1 VLAN/ACL.

> "show local [Database_server_IP]" will show how it's being NATed.

show local 192.168.3.20
Interface DMZ1: 1 active, 1 maximum active, 0 denied
Interface Databases: 1 active, 1 maximum active, 0 denied
Interface inside: 22 active, 39 maximum active, 0 denied

> Could you upload output of "show cry ips sa" from
> central and remote PIXs?

Attached.

Thanks again.

Tim Levy.
